From 3514396341c1167bdc3cc5f3fe8a95f88248b322 Mon Sep 17 00:00:00 2001
From: marciocloudflare
Date: Mon, 24 Mar 2025 13:48:18 +0000
Subject: [PATCH 01/23] added vars
---
 .../tunnel-endpoints/configure-tunnels.mdx | 455 ++++++++++++++++++
 1 file changed, 455 insertions(+)
 create mode 100644 src/content/partials/magic-transit/tunnel-endpoints/configure-tunnels.mdx
diff --git a/src/content/partials/magic-transit/tunnel-endpoints/configure-tunnels.mdx b/src/content/partials/magic-transit/tunnel-endpoints/configure-tunnels.mdx
new file mode 100644
index 000000000000000..794e2d8bcc9a55b
--- /dev/null
+++ b/src/content/partials/magic-transit/tunnel-endpoints/configure-tunnels.mdx
@@ -0,0 +1,455 @@
+---
+params:
+ - ipRange
+ - productName
+ - tunnelsPath
+ - ciphersPath
+ - antiReplayPagePath
+ - cniLink
+ - productPathDash
+ - healthCheck
+ - productPathProbe
+ - antiReplayPagePath
+ - biVsUniHealthCheck
+ - tunnelHealthDash
+ - biVsUniHealthCheckDefaults
+ - productPathProbe
+---
+
+import { APIRequest, CURL, Details, GlossaryTooltip, Markdown, Render, TabItem, Tabs } from "~/components";
+
+Cloudflare recommends two tunnels for each ISP and network location router combination, one per Cloudflare endpoint. Cloudflare will assign two Cloudflare endpoint addresses shortly after your onboarding kickoff call that you can use as the tunnel destinations on your network location's routers/endpoints.
+
+To configure the tunnels between Cloudflare and your locations, you must provide the following data for each tunnel:
+
+- **Tunnel name**: For GRE tunnels, the name must have 15 or fewer characters. IPsec tunnels have no character limit. For both GRE and IPsec tunnels, the name cannot contain spaces or special characters, and cannot be shared with other tunnels.
+- **Cloudflare endpoint address**: The public IP address of the Cloudflare side of the tunnel.
+- **Customer endpoint**: A public Internet routable IP address outside of the prefixes Cloudflare will advertise on your behalf. These are generally IP addresses provided by your ISP. If you intend to use a physical or virtual connection like [Cloudflare Network Interconnect](/network-interconnect/), you do not need to provide endpoints because Cloudflare will provide them.
+ This value is not required for IPsec tunnels, unless your router is using an Internet Key Exchange (IKE) ID of type `ID_IPV4_ADDR`.
+- **Interface address**: A 31-bit (recommended) or 30-bit subnet (`/31` or `/30` in CIDR notation) supporting two hosts, one for each side of the tunnel. Select the subnet from the following private IP space:
+ - `10.0.0.0/8`
+ - `172.16.0.0/12`
+ - `192.168.0.0/16`
+ - `169.254.240.0/20` {props.ipRange}
+ :::caution
+ Especially for cloud service providers that might automatically generate prefixes for you, make sure the prefixes are always within the allowed Cloudflare ranges, or the tunnel will not work.
+ :::
+- **TTL**: Time to Live (TTL) in number of hops for the GRE tunnel. The default value is 64.
+- **MTU**: Maximum transmission unit (MTU) in bytes for the GRE tunnel. The default value is 1476.
+
+
+
+{/* gre-ipsec.mdx */}
+
+---
+params:
+ - productName
+ - tunnelsPath
+ - ciphersPath
+---
+
+You can use GRE or IPsec tunnels to onboard your traffic to {props.productName}, and set them up via the Cloudflare dashboard or the API. However, if you want to use the API, be sure to have your [account ID](/fundamentals/setup/find-account-and-zone-ids/) and [API key](/fundamentals/api/get-started/keys/#view-your-global-api-key) ready before you begin.
+
+:::note[Note]
+IPsec tunnels only support Internet Key Exchange version 2 (IKEv2).
+:::
+
+#### IPsec supported ciphers
+
+Refer to Tunnels and encapsulation to learn more about the technical requirements for GRE and IPsec tunnels used in {props.productName}. In this page, you can also find the supported ciphers for IPsec.
+
+
+
+{/* anti-replay.mdx */}
+
+---
+params:
+ - productName
+ - antiReplayPagePath
+---
+
+If you use {props.productName} and anycast IPsec tunnels, we recommend disabling anti-replay protection. This setting is disabled on Cloudflare's side by default. 
However, it can be enabled via the API or the Cloudflare dashboard for devices that do not support disabling it, including Cisco Meraki, Velocloud, and AWS VPN Gateway.
+
+Refer to Anti-replay protection for more information on this topic, or [Add IPsec tunnels](#add-tunnels) below to learn how to enable this feature.
+
+
+
+{/* cni.mdx */}
+
+---
+params:
+ - cniLink
+---
+
+Beyond GRE and IPsec tunnels, you can also use Network Interconnect (CNI) to onboard your traffic to {props.productName}. Refer to Network Interconnect (CNI) for more information.
+
+
+
+
+{/* add-tunnels.mdx */}
+
+---
+params:
+ - productName
+ - productPathDash
+ - healthCheck
+ - productPathProbe
+ - antiReplayPagePath
+ - biVsUniHealthCheck
+ - tunnelHealthDash
+ - biVsUniHealthCheckDefaults
+---
+
+
+:::caution
+Internet Control Message Protocol (ICMP) traffic is subject to Magic Firewall rules. If you have Magic Firewall enabled, ensure your rules allow ICMP traffic sourced from Cloudflare public IPs. Otherwise, health checks will fail. Refer to [Magic Firewall rules](/magic-firewall/about/ruleset-logic/#magic-firewall-rules-and-magic-transit-endpoint-health-checks) for more information.
+:::
+
+
+
+1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login), and select your account.
+2. Select **{props.productPathDash}**.
+3. From the **Tunnels** tab, select **Create**.
+4. On the **Add tunnels** page, choose either a **GRE tunnel** or **IPsec tunnel**.
+
+
+
+5. In **Name**, give your tunnel a descriptive name. This name must be unique, must not contain spaces or special characters, and must be 15 or fewer characters. Hover the mouse over `i` in the dashboard for more information.
+6. Give your tunnel a description in **Description**. You do not have character restrictions here.
+7. In **IPv4 Interface address**, enter the internal IP address for your tunnel along with the interface's prefix length (either `/31` or `/30`). This is used to route traffic through the tunnel on the Cloudflare side. We recommend using an RFC1918 address scheme with a `/31` netmask, as it provides the most efficient use of IP address space.
+8. In **Customer GRE endpoint**, enter your router's public IP address. This value is not needed if you intend to use a physical or virtual connection like Cloudflare Network Interconnect because Cloudflare will provide it.
+9. In **Cloudflare GRE endpoint**, enter the anycast address you received from your account team.
+10. Leave the default values for **TTL** and **MTU**.
+11. _(Optional)_ **Tunnel health checks** are enabled by default. If you disable Tunnel health checks, your tunnels will appear 100% down in your tunnel health dashboard even when working. Cloudflare will keep sending traffic through the tunnel, without the means to detect if the tunnel goes down. You will have to set up your own system to detect down tunnels, as Cloudflare will not be able to warn you about down tunnels. Refer to Tunnel health checks for more information.
+12. _(Optional)_ If you keep **Tunnel health checks** enabled, choose the **Health check rate** for your tunnel. Available options are _Low_, _Medium_, and _High_.
+13. The **Health check type** defaults to _Reply_ and to creating an ICMP reply. If your firewall drops this type of packet for assuming it is a type of attack, change this option to _Request_ which will create an ICMP request. Refer to Tunnel health checks for more information.
+14. 
The **Health check direction** defaults to **{props.BiVsUniHealthCheck}** for {props.productName}. Refer to [Bidirectional vs unidirectional health checks](#bidirectional-vs-unidirectional-health-checks) for more details.
+15. _(Optional)_ **Health check target** is the customer end of the tunnel. This field is only visible when the **Health check direction** is set to _Unidirectional_.
+16. _(Optional)_ We recommend you test your tunnel before officially adding it. To test the tunnel, select **Test tunnels**.
+17. To add multiple tunnels, select **Add GRE tunnel** for each new tunnel.
+18. After adding your tunnel information, select **Add tunnels** to save your changes.
+
+
+ +
+
+5. In **Name**, give your tunnel a descriptive name. This name must be unique, must not contain spaces or special characters, and must be 15 or fewer characters. Hover the mouse over `i` in the dashboard for more information.
+6. Give your tunnel a description in **Description**. You do not have character restrictions here.
+7. In **IPv4 Interface address**, enter the internal IP address for your tunnel along with the interface's prefix length (either `/31` or `/30`). This is used to route traffic through the tunnel on the Cloudflare side. We recommend using an RFC1918 address scheme with a `/31` netmask, as it provides the most efficient use of IP address space.
+8. In **Customer endpoint**, enter your router's public IP address. This value is only required if your router is using an IKE ID of type `ID_IPV4_ADDR`.
+9. In **Cloudflare endpoint**, enter the anycast address you received from your account team.
+10. _(Optional)_ **Tunnel health checks** are enabled by default. If you disable Tunnel health checks, your tunnels will appear 100% down in your tunnel health dashboard even when working. Cloudflare will keep sending traffic through the tunnel, without the means to detect if the tunnel goes down. You will have to set up your own system to detect down tunnels, as Cloudflare will not be able to warn you about down tunnels. Refer to Tunnel health checks for more information.
+11. _(Optional)_ If you keep **Tunnel health checks** enabled, choose the **Health check rate** for your tunnel. Available options are _Low_, _Medium_ and _High_.
+12. _(Optional)_ The **Health check type** defaults to _Reply_ and to creating an ICMP reply. If your firewall drops this type of packet for assuming it is a type of attack, change this option to _Request_ which will create an ICMP request. Refer to Tunnel health checks for more information.
+13. _(Optional)_ The **Health check direction** defaults to **{props.BiVsUniHealthCheck}** for {props.productName}. 
Refer to [Bidirectional vs unidirectional health checks](#bidirectional-vs-unidirectional-health-checks) for more details.
+14. _(Optional)_ **Health check target** is the customer end of the tunnel. This field is only visible when the **Health check direction** is set to _Unidirectional_.
+
+ :::note
+ IPsec tunnels will not function without a pre-shared key (PSK).
+ :::
+
+15. If you do not have a pre-shared key yet:
+
+ 1. Select **Add pre-shared key later**.
+ 2. _(Optional)_ We recommend you test your tunnel configuration before officially adding it. To test the tunnel, select **Test tunnels**.
+ 3. Select **Add tunnels**.
+ 4. The Cloudflare dashboard will load the list of tunnels you have configured. The IPsec tunnel you have just created will be listed with a warning in the form of a triangle to let you know it is not yet functional. Select **Edit**.
+ 5. Choose **Generate a new pre-shared key** > **Update and generate a pre-shared key**. Save the key to a safe place, and select **Done**.
+
+16. If you already have a pre-shared key:
+
+ 1. Select **Use my own pre-shared key**.
+ 2. Paste your key in **Your pre-shared key**.
+ 3. _(Optional)_ We recommend you test your tunnel before officially adding it. To test the tunnel, select **Test tunnels**.
+ 4. Select **Add tunnels**.
+
+17. (Optional) Enable **Replay protection** if you have devices that do not support disabling it. Refer to Anti-replay protection for more information.
+
+
+ +
+ + + +
+ +Create a `POST` request [using the API](/api/resources/magic_transit/subresources/gre_tunnels/methods/create/) to create a GRE tunnel. + +", + "description": "", + "interface_address": "", + "cloudflare_gre_endpoint": "", + "customer_gre_endpoint": "" + }} +/> + +```json output +{ + "errors": [ + { + "code": 1000, + "message": "message" + } + ], + "messages": [ + { + "code": 1000, + "message": "message" + } + ], + "result": { + "gre_tunnels": [ + { + "cloudflare_gre_endpoint": "", + "customer_gre_endpoint": "", + "interface_address": "", + "name": "", + "description": "", + "health_check": { + "direction": "unidirectional", + "enabled": true, + "rate": "low", + "type": "reply" + }, + "mtu": 0, + "ttl": 0 + } + ] + }, + "success": true +} +``` + +
+ +
+ +1. Create a `POST` request [using the API](/api/resources/magic_transit/subresources/ipsec_tunnels/methods/create/) to create an IPsec tunnel. + + Note that in example below, replay protection is disabled by default. You can enable it with the flag `"replay_protection": true` for each IPsec tunnel, if the devices you use do not support disabling this feature. If you have already created IPsec tunnels, update them with a [`PUT` request](/api/resources/magic_transit/subresources/ipsec_tunnels/methods/update/). Refer to Anti-replay protection for more information on this topic. + + ", + "description": "", + "interface_address": "", + "cloudflare_endpoint": "", + "customer_endpoint": "" + }} + /> + + ```json output + { + "errors": [ + { + "code": 1000, + "message": "message" + } + ], + "messages": [ + { + "code": 1000, + "message": "message" + } + ], + "result": { + "ipsec_tunnels": [ + { + "id": "", + "interface_address": "", + "name": "", + "cloudflare_endpoint": "", + "customer_endpoint": "", + "description": "", + "health_check": { + "direction": "unidirectional", + "enabled": true, + "rate": "low", + "type": "reply" + }, + "psk_metadata": {}, + "replay_protection": false + } + ] + }, + "success": true + } + ``` + + Take note of the tunnel `id` value. We will use it to generate a pre-shared key (PSK). + +2. Create a `POST` [request](/api/resources/magic_transit/subresources/ipsec_tunnels/methods/psk_generate/) to generate a PSK. Use the tunnel `id` value you received from the previous command. + + + + ```json output + { + "result": { + "ipsec_id": "", + "ipsec_tunnel_id": "", + "psk": "", + "psk_metadata": { + "last_generated_on": "2025-03-13T14:28:47.054317925Z" + } + }, + "success": true, + "errors": [], + "messages": [] + } + ``` + + Take note of your `psk` value. + +3. Create a `PUT` [request](/api/resources/magic_transit/subresources/ipsec_tunnels/methods/update/) to update your IPsec tunnel with the PSK. 
+ + " + }} + /> + +```json output +{ + "result": { + "modified": true, + "modified_ipsec_tunnel": { + "id": "", + "interface_address": "", + "created_on": "2025-03-13T14:28:21.139535Z", + "modified_on": "2025-03-13T14:33:26.09683Z", + "name": "", + "cloudflare_endpoint": "", + "customer_endpoint": "", + "remote_identities": { + "hex_id": "", + "fqdn_id": "", + "user_id": "" + }, + "psk_metadata": { + "last_generated_on": "2025-03-13T14:28:47.054318Z" + }, + "description": "", + "health_check": { + "enabled": true, + "target": "", + "type": "reply", + "rate": "mid", + "direction": "unidirectional" + } + } + }, + "success": true, + "errors": [], + "messages": [] +} +``` + +4. Use the `psk` value from step 3 to configure the IPsec tunnel on your equipment as well. + +
+ +
+ +Bidirectional health checks are available for GRE and IPsec tunnels. {props.biVsUniHealthCheckDefaults}. + +You can change this setting via the API with `"bidirectional"` or `"unidirectional"`: + + + +```json output +{ + "result": { + "modified": true, + "modified_ipsec_tunnel": { + "id": "", + "interface_address": "", + "created_on": "2025-03-13T14:28:21.139535Z", + "modified_on": "2025-03-13T14:33:26.09683Z", + "name": "", + "cloudflare_endpoint": "", + "customer_endpoint": "", + "remote_identities": { + "hex_id": "", + "fqdn_id": "", + "user_id": "" + }, + "psk_metadata": { + "last_generated_on": "2025-03-13T14:28:47.054318Z" + }, + "description": "", + "health_check": { + "enabled": true, + "target": "", + "type": "reply", + "rate": "mid", + "direction": "bidirectional" + } + } + }, + "success": true, + "errors": [], + "messages": [] +} +``` + +
+ +
+
+
+
+{/* bi-uni-health-checks.mdx */}
+
+---
+params:
+ - productPathProbe
+---
+
+To check for tunnel health, Cloudflare sends a health check probe consisting of ICMP (Internet Control Message Protocol) reply [packets](https://www.cloudflare.com/learning/network-layer/what-is-a-packet/) to your network. Cloudflare needs to receive these probes to know if your tunnel is healthy.
+
+Cloudflare defaults to bidirectional health checks for Magic WAN, and unidirectional health checks for Magic Transit (direct server return). However, routing unidirectional ICMP reply packets over the Internet to Cloudflare is sometimes subject to drops by intermediate network devices, such as stateful firewalls. Magic Transit customers with egress traffic can modify this setting to bidirectional.
+
+
+{/* mt-egress.mdx */}
+
+---
+{}
+
+---
+
+If you are a Magic Transit customer with egress traffic, refer to [Magic Transit egress traffic](/magic-transit/reference/egress/) for more information on the technical aspects you need to consider to create a successful connection to Cloudflare.
+
+
+{/* legacy-hc-system.mdx */}
+
+---
+{}
+
+---
+
+For customers using the legacy health check system with a public IP range, Cloudflare recommends:
+
+- Configuring the tunnel health check target IP address to one within the `172.64.240.252/30` prefix range.
+- Applying a policy-based route that matches [packets](https://www.cloudflare.com/learning/network-layer/what-is-a-packet/) with a source IP address equal to the configured tunnel health check target (for example `172.64.240.253/32`), and route them over the tunnel back to Cloudflare.
From d4e83abd0434bf03ac05a9c342f96cdac8db9d88 Mon Sep 17 00:00:00 2001
From: marciocloudflare
Date: Mon, 24 Mar 2025 13:48:53 +0000
Subject: [PATCH 02/23] removed markdown
---
 .../magic-transit/tunnel-endpoints/configure-tunnels.mdx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
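Review bot: The dashboard steps in this hunk read `{props.BiVsUniHealthCheck}` (GRE step 14 and IPsec step 13) while the params block at the top of the file declares `biVsUniHealthCheck`; prop names are case-sensitive, so the default direction would presumably render as empty text. Both usages should become `**{props.biVsUniHealthCheck}**`, matching the declared parameter. The same params block also lists `antiReplayPagePath` twice, which makes the partial's contract harder to read; the later PATCH 08 in this series removes the duplicate `productPathProbe` but leaves `antiReplayPagePath` duplicated, so a second cleanup would still be needed.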
diff --git a/src/content/partials/magic-transit/tunnel-endpoints/configure-tunnels.mdx b/src/content/partials/magic-transit/tunnel-endpoints/configure-tunnels.mdx
index 794e2d8bcc9a55b..4dfb157790f31d6 100644
--- a/src/content/partials/magic-transit/tunnel-endpoints/configure-tunnels.mdx
+++ b/src/content/partials/magic-transit/tunnel-endpoints/configure-tunnels.mdx
@@ -16,7 +16,7 @@ params:
 - productPathProbe
 ---
-import { APIRequest, CURL, Details, GlossaryTooltip, Markdown, Render, TabItem, Tabs } from "~/components";
+import { APIRequest, CURL, Details, GlossaryTooltip, Render, TabItem, Tabs } from "~/components";
 Cloudflare recommends two tunnels for each ISP and network location router combination, one per Cloudflare endpoint. Cloudflare will assign two Cloudflare endpoint addresses shortly after your onboarding kickoff call that you can use as the tunnel destinations on your network location's routers/endpoints.
From 62318e49df14581e31abf2c8399517686606f883 Mon Sep 17 00:00:00 2001
From: marciocloudflare
Date: Mon, 24 Mar 2025 13:51:08 +0000
Subject: [PATCH 03/23] added gre ipsec tunnels subtitle
---
 .../tunnel-endpoints/configure-tunnels.mdx | 13 +++----------
 1 file changed, 3 insertions(+), 10 deletions(-)
diff --git a/src/content/partials/magic-transit/tunnel-endpoints/configure-tunnels.mdx b/src/content/partials/magic-transit/tunnel-endpoints/configure-tunnels.mdx
index 4dfb157790f31d6..60668093fbc6837 100644
--- a/src/content/partials/magic-transit/tunnel-endpoints/configure-tunnels.mdx
+++ b/src/content/partials/magic-transit/tunnel-endpoints/configure-tunnels.mdx
@@ -1,6 +1,6 @@
 ---
 params:
- - ipRange
+ - ipRange?
 - productName
 - tunnelsPath
 - ciphersPath
@@ -37,16 +37,9 @@ To configure the tunnels between Cloudflare and your locations, you must provide
 - **TTL**: Time to Live (TTL) in number of hops for the GRE tunnel. The default value is 64.
 - **MTU**: Maximum transmission unit (MTU) in bytes for the GRE tunnel. The default value is 1476.
+## Ways to onboard traffic to Cloudflare
-
-{/* gre-ipsec.mdx */}
-
----
-params:
- - productName
- - tunnelsPath
- - ciphersPath
----
+### GRE and IPsec tunnels
 You can use GRE or IPsec tunnels to onboard your traffic to {props.productName}, and set them up via the Cloudflare dashboard or the API. However, if you want to use the API, be sure to have your [account ID](/fundamentals/setup/find-account-and-zone-ids/) and [API key](/fundamentals/api/get-started/keys/#view-your-global-api-key) ready before you begin.
From c941a319bcc16c8a7442ce89ea2b6950c3ffd23e Mon Sep 17 00:00:00 2001
From: marciocloudflare
Date: Mon, 24 Mar 2025 13:55:52 +0000
Subject: [PATCH 04/23] removed note title
---
 .../magic-transit/tunnel-endpoints/configure-tunnels.mdx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/content/partials/magic-transit/tunnel-endpoints/configure-tunnels.mdx b/src/content/partials/magic-transit/tunnel-endpoints/configure-tunnels.mdx
index 60668093fbc6837..892e35a6a553192 100644
--- a/src/content/partials/magic-transit/tunnel-endpoints/configure-tunnels.mdx
+++ b/src/content/partials/magic-transit/tunnel-endpoints/configure-tunnels.mdx
@@ -43,7 +43,7 @@ To configure the tunnels between Cloudflare and your locations, you must provide
 You can use GRE or IPsec tunnels to onboard your traffic to {props.productName}, and set them up via the Cloudflare dashboard or the API. However, if you want to use the API, be sure to have your [account ID](/fundamentals/setup/find-account-and-zone-ids/) and [API key](/fundamentals/api/get-started/keys/#view-your-global-api-key) ready before you begin.
-:::note[Note]
+:::note
 IPsec tunnels only support Internet Key Exchange version 2 (IKEv2).
 :::
From da0dd2a522a506e788a266b5de354ae4e0a8651d Mon Sep 17 00:00:00 2001
From: marciocloudflare
Date: Mon, 24 Mar 2025 14:40:01 +0000
Subject: [PATCH 05/23] renamed vars
---
 .../magic-transit/tunnel-endpoints/configure-tunnels.mdx | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/content/partials/magic-transit/tunnel-endpoints/configure-tunnels.mdx b/src/content/partials/magic-transit/tunnel-endpoints/configure-tunnels.mdx
index 892e35a6a553192..c10cd1ae96ebb73 100644
--- a/src/content/partials/magic-transit/tunnel-endpoints/configure-tunnels.mdx
+++ b/src/content/partials/magic-transit/tunnel-endpoints/configure-tunnels.mdx
@@ -2,8 +2,8 @@
 params:
 - ipRange?
 - productName
- - tunnelsPath
- - ciphersPath
+ - tunnelsAndEncapsulationPagePath
+ - ciphersPagePath
 - antiReplayPagePath
 - cniLink
 - productPathDash
@@ -49,7 +49,7 @@ IPsec tunnels only support Internet Key Exchange version 2 (IKEv2).
 #### IPsec supported ciphers
-Refer to Tunnels and encapsulation to learn more about the technical requirements for GRE and IPsec tunnels used in {props.productName}. In this page, you can also find the supported ciphers for IPsec.
+Refer to Tunnels and encapsulation to learn more about the technical requirements for GRE and IPsec tunnels used in {props.productName}. In this page, you can also find the supported ciphers for IPsec.
From cd3ab491e6767063328371a4f15a3de86465a490 Mon Sep 17 00:00:00 2001
From: marciocloudflare
Date: Mon, 24 Mar 2025 14:41:13 +0000
Subject: [PATCH 06/23] added anti replay
---
 .../tunnel-endpoints/configure-tunnels.mdx | 11 +----------
 1 file changed, 1 insertion(+), 10 deletions(-)
diff --git a/src/content/partials/magic-transit/tunnel-endpoints/configure-tunnels.mdx b/src/content/partials/magic-transit/tunnel-endpoints/configure-tunnels.mdx
index c10cd1ae96ebb73..461ac28e69d0f85 100644
--- a/src/content/partials/magic-transit/tunnel-endpoints/configure-tunnels.mdx
+++ b/src/content/partials/magic-transit/tunnel-endpoints/configure-tunnels.mdx
@@ -51,16 +51,7 @@ IPsec tunnels only support Internet Key Exchange version 2 (IKEv2).
 Refer to Tunnels and encapsulation to learn more about the technical requirements for GRE and IPsec tunnels used in {props.productName}. In this page, you can also find the supported ciphers for IPsec.
-
-
-
-{/* anti-replay.mdx */}
-
----
-params:
- - productName
- - antiReplayPagePath
----
+#### Anti-replay protection
 If you use {props.productName} and anycast IPsec tunnels, we recommend disabling anti-replay protection. This setting is disabled on Cloudflare's side by default. However, it can be enabled via the API or the Cloudflare dashboard for devices that do not support disabling it, including Cisco Meraki, Velocloud, and AWS VPN Gateway.
From 914a50bf5732d6ac53403fb12a96577c7fb01775 Mon Sep 17 00:00:00 2001
From: marciocloudflare
Date: Mon, 24 Mar 2025 14:42:25 +0000
Subject: [PATCH 07/23] add tunnels
---
 .../tunnel-endpoints/configure-tunnels.mdx | 27 ++-----------------
 1 file changed, 2 insertions(+), 25 deletions(-)
diff --git a/src/content/partials/magic-transit/tunnel-endpoints/configure-tunnels.mdx b/src/content/partials/magic-transit/tunnel-endpoints/configure-tunnels.mdx
index 461ac28e69d0f85..95edd34d13984d2 100644
--- a/src/content/partials/magic-transit/tunnel-endpoints/configure-tunnels.mdx
+++ b/src/content/partials/magic-transit/tunnel-endpoints/configure-tunnels.mdx
@@ -57,34 +57,11 @@ If you use {props.productName} and anycastAnti-replay protection for more information on this topic, or [Add IPsec tunnels](#add-tunnels) below to learn how to enable this feature.
-
-
-{/* cni.mdx */}
-
----
-params:
- - cniLink
----
+### Network Interconnect (CNI)
 Beyond GRE and IPsec tunnels, you can also use Network Interconnect (CNI) to onboard your traffic to {props.productName}. Refer to Network Interconnect (CNI) for more information.
-
-
-
-{/* add-tunnels.mdx */}
-
----
-params:
- - productName
- - productPathDash
- - healthCheck
- - productPathProbe
- - antiReplayPagePath
- - biVsUniHealthCheck
- - tunnelHealthDash
- - biVsUniHealthCheckDefaults
----
-
+## Add tunnels
 :::caution
 Internet Control Message Protocol (ICMP) traffic is subject to Magic Firewall rules. If you have Magic Firewall enabled, ensure your rules allow ICMP traffic sourced from Cloudflare public IPs. Otherwise, health checks will fail. Refer to [Magic Firewall rules](/magic-firewall/about/ruleset-logic/#magic-firewall-rules-and-magic-transit-endpoint-health-checks) for more information.
From 58d354a05b81c6df28ab06bc5265148d6f72531e Mon Sep 17 00:00:00 2001
From: marciocloudflare
Date: Mon, 24 Mar 2025 14:47:33 +0000
Subject: [PATCH 08/23] renamed vard
---
 .../tunnel-endpoints/configure-tunnels.mdx | 23 ++++++-------------
 1 file changed, 7 insertions(+), 16 deletions(-)
diff --git a/src/content/partials/magic-transit/tunnel-endpoints/configure-tunnels.mdx b/src/content/partials/magic-transit/tunnel-endpoints/configure-tunnels.mdx
index 95edd34d13984d2..7730388fb365500 100644
--- a/src/content/partials/magic-transit/tunnel-endpoints/configure-tunnels.mdx
+++ b/src/content/partials/magic-transit/tunnel-endpoints/configure-tunnels.mdx
@@ -8,12 +8,11 @@ params:
 - cniLink
 - productPathDash
 - healthCheck
- - productPathProbe
+ - tunnelHealthChecksPage
 - antiReplayPagePath
 - biVsUniHealthCheck
 - tunnelHealthDash
 - biVsUniHealthCheckDefaults
- - productPathProbe
 ---
 import { APIRequest, CURL, Details, GlossaryTooltip, Render, TabItem, Tabs } from "~/components";
@@ -82,9 +81,9 @@ Internet Control Message Protocol (ICMP) traffic is subject to Magic Firewall ru
 8. In **Customer GRE endpoint**, enter your router's public IP address. This value is not needed if you intend to use a physical or virtual connection like Cloudflare Network Interconnect because Cloudflare will provide it.
 9. In **Cloudflare GRE endpoint**, enter the anycast address you received from your account team.
 10. Leave the default values for **TTL** and **MTU**.
-11. _(Optional)_ **Tunnel health checks** are enabled by default. If you disable Tunnel health checks, your tunnels will appear 100% down in your tunnel health dashboard even when working. Cloudflare will keep sending traffic through the tunnel, without the means to detect if the tunnel goes down. You will have to set up your own system to detect down tunnels, as Cloudflare will not be able to warn you about down tunnels. Refer to Tunnel health checks for more information.
+11. _(Optional)_ **Tunnel health checks** are enabled by default. If you disable Tunnel health checks, your tunnels will appear 100% down in your tunnel health dashboard even when working. Cloudflare will keep sending traffic through the tunnel, without the means to detect if the tunnel goes down. You will have to set up your own system to detect down tunnels, as Cloudflare will not be able to warn you about down tunnels. Refer to Tunnel health checks for more information.
 12. _(Optional)_ If you keep **Tunnel health checks** enabled, choose the **Health check rate** for your tunnel. Available options are _Low_, _Medium_, and _High_.
-13. The **Health check type** defaults to _Reply_ and to creating an ICMP reply. 
If your firewall drops this type of packet for assuming it is a type of attack, change this option to _Request_ which will create an ICMP request. Refer to Tunnel health checks for more information.
+13. The **Health check type** defaults to _Reply_ and to creating an ICMP reply. If your firewall drops this type of packet for assuming it is a type of attack, change this option to _Request_ which will create an ICMP request. Refer to Tunnel health checks for more information.
 14. The **Health check direction** defaults to **{props.BiVsUniHealthCheck}** for {props.productName}. Refer to [Bidirectional vs unidirectional health checks](#bidirectional-vs-unidirectional-health-checks) for more details.
 15. _(Optional)_ **Health check target** is the customer end of the tunnel. This field is only visible when the **Health check direction** is set to _Unidirectional_.
 16. _(Optional)_ We recommend you test your tunnel before officially adding it. To test the tunnel, select **Test tunnels**.
@@ -100,9 +99,9 @@ Internet Control Message Protocol (ICMP) traffic is subject to Magic Firewall ru
 7. In **IPv4 Interface address**, enter the internal IP address for your tunnel along with the interface's prefix length (either `/31` or `/30`). This is used to route traffic through the tunnel on the Cloudflare side. We recommend using an RFC1918 address scheme with a `/31` netmask, as it provides the most efficient use of IP address space.
 8. In **Customer endpoint**, enter your router's public IP address. This value is only required if your router is using an IKE ID of type `ID_IPV4_ADDR`.
 9. In **Cloudflare endpoint**, enter the anycast address you received from your account team.
-10. _(Optional)_ **Tunnel health checks** are enabled by default. If you disable Tunnel health checks, your tunnels will appear 100% down in your tunnel health dashboard even when working. Cloudflare will keep sending traffic through the tunnel, without the means to detect if the tunnel goes down. You will have to set up your own system to detect down tunnels, as Cloudflare will not be able to warn you about down tunnels. Refer to Tunnel health checks for more information.
+10. _(Optional)_ **Tunnel health checks** are enabled by default. If you disable Tunnel health checks, your tunnels will appear 100% down in your tunnel health dashboard even when working. Cloudflare will keep sending traffic through the tunnel, without the means to detect if the tunnel goes down. You will have to set up your own system to detect down tunnels, as Cloudflare will not be able to warn you about down tunnels. Refer to Tunnel health checks for more information.
 11. _(Optional)_ If you keep **Tunnel health checks** enabled, choose the **Health check rate** for your tunnel. Available options are _Low_, _Medium_ and _High_.
-12. _(Optional)_ The **Health check type** defaults to _Reply_ and to creating an ICMP reply. 
If your firewall drops this type of packet for assuming it is a type of attack, change this option to _Request_ which will create an ICMP request. Refer to Tunnel health checks for more information.
+12. _(Optional)_ The **Health check type** defaults to _Reply_ and to creating an ICMP reply. If your firewall drops this type of packet for assuming it is a type of attack, change this option to _Request_ which will create an ICMP request. Refer to Tunnel health checks for more information.
 13. _(Optional)_ The **Health check direction** defaults to **{props.BiVsUniHealthCheck}** for {props.productName}. Refer to [Bidirectional vs unidirectional health checks](#bidirectional-vs-unidirectional-health-checks) for more details.
 14. _(Optional)_ **Health check target** is the customer end of the tunnel. This field is only visible when the **Health check direction** is set to _Unidirectional_.
@@ -378,17 +377,9 @@ You can change this setting via the API with `"bidirectional"` or `"unidirection
+## Bidirectional vs unidirectional health checks
-
-
-{/* bi-uni-health-checks.mdx */}
-
----
-params:
- - productPathProbe
----
-
-To check for tunnel health, Cloudflare sends a health check probe consisting of ICMP (Internet Control Message Protocol) reply [packets](https://www.cloudflare.com/learning/network-layer/what-is-a-packet/) to your network. Cloudflare needs to receive these probes to know if your tunnel is healthy.
+To check for tunnel health, Cloudflare sends a health check probe consisting of ICMP (Internet Control Message Protocol) reply [packets](https://www.cloudflare.com/learning/network-layer/what-is-a-packet/) to your network. Cloudflare needs to receive these probes to know if your tunnel is healthy.
 Cloudflare defaults to bidirectional health checks for Magic WAN, and unidirectional health checks for Magic Transit (direct server return). However, routing unidirectional ICMP reply packets over the Internet to Cloudflare is sometimes subject to drops by intermediate network devices, such as stateful firewalls. Magic Transit customers with egress traffic can modify this setting to bidirectional.
From d45a368d667fe1f6de80c29ef9dbeb6dedb128c2 Mon Sep 17 00:00:00 2001
From: marciocloudflare
Date: Mon, 24 Mar 2025 14:52:20 +0000
Subject: [PATCH 09/23] optional mt egress
---
 .../tunnel-endpoints/configure-tunnels.mdx | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/src/content/partials/magic-transit/tunnel-endpoints/configure-tunnels.mdx b/src/content/partials/magic-transit/tunnel-endpoints/configure-tunnels.mdx
index 7730388fb365500..62b963b47c22128 100644
--- a/src/content/partials/magic-transit/tunnel-endpoints/configure-tunnels.mdx
+++ b/src/content/partials/magic-transit/tunnel-endpoints/configure-tunnels.mdx
@@ -1,5 +1,6 @@
 ---
 params:
+ - magicWord?
 - ipRange?
 - productName
 - tunnelsAndEncapsulationPagePath
@@ -383,15 +384,16 @@ To check for tunnel health, Cloudflare sends a
+

If you are a Magic Transit customer with egress traffic, refer to [Magic Transit egress traffic](/magic-transit/reference/egress/) for more information on the technical aspects you need to consider to create a successful connection to Cloudflare.

+
+ )
+}
-{/* mt-egress.mdx */}
----
-{}
----
-If you are a Magic Transit customer with egress traffic, refer to [Magic Transit egress traffic](/magic-transit/reference/egress/) for more information on the technical aspects you need to consider to create a successful connection to Cloudflare.
 {/* legacy-hc-system.mdx */}
From 5082a909c1f73f3cb164f1bd84259585d886ae9c Mon Sep 17 00:00:00 2001
From: marciocloudflare
Date: Mon, 24 Mar 2025 14:52:34 +0000
Subject: [PATCH 10/23] legacy hcs
---
 .../tunnel-endpoints/configure-tunnels.mdx | 12 +-----------
 1 file changed, 1 insertion(+), 11 deletions(-)
diff --git a/src/content/partials/magic-transit/tunnel-endpoints/configure-tunnels.mdx b/src/content/partials/magic-transit/tunnel-endpoints/configure-tunnels.mdx
index 62b963b47c22128..8232c7240eb6ca3 100644
--- a/src/content/partials/magic-transit/tunnel-endpoints/configure-tunnels.mdx
+++ b/src/content/partials/magic-transit/tunnel-endpoints/configure-tunnels.mdx
@@ -391,17 +391,7 @@ Cloudflare defaults to bidirectional health checks for Magic WAN, and unidirecti
 )
 }
-
-
-
-
-
-{/* legacy-hc-system.mdx */}
-
----
-{}
-
----
+### Legacy bidirectional health checks
 For customers using the legacy health check system with a public IP range, Cloudflare recommends:
From b11e1d95c59019e49cfd1b22256cd6f65b9bc2f6 Mon Sep 17 00:00:00 2001
From: marciocloudflare
Date: Mon, 24 Mar 2025 16:17:40 +0000
Subject: [PATCH 11/23] refined render with extra info
---
 .../manually/how-to/configure-tunnels.mdx | 67 +++----------------
 1 file changed, 8 insertions(+), 59 deletions(-)
diff --git a/src/content/docs/magic-wan/configuration/manually/how-to/configure-tunnels.mdx b/src/content/docs/magic-wan/configuration/manually/how-to/configure-tunnels.mdx
index 42f59e770b6236f..333144a26747da2 100644
--- a/src/content/docs/magic-wan/configuration/manually/how-to/configure-tunnels.mdx
+++ b/src/content/docs/magic-wan/configuration/manually/how-to/configure-tunnels.mdx
@@ -11,79 +11,28 @@ description: Cloudflare recommends two tunnels for each ISP and network location
 import { GlossaryTooltip, Render } from "~/components";
-
-
-## Ways to onboard traffic to Cloudflare
-
-### GRE and IPsec tunnels
-
-
-
-#### Anti-replay protection
-
-
-
-### Network Interconnect (CNI)
-
-
-
-## Add tunnels
- - Configuration",
 healthCheck: "/magic-wan/configuration/common-settings/tunnel-health-checks/",
 productPathProbe: "/magic-wan/reference/tunnel-health-checks/",
 antiReplayPagePath: "/magic-wan/reference/anti-replay-protection/",
 biVsUniHealthCheck: "bidirectional",
 tunnelHealthDash: "/magic-wan/configuration/common-settings/check-tunnel-health-dashboard/",
- biVsUniHealthCheckDefaults: "For Magic WAN this option defaults to bidirectional"
- }}
-/>
+ biVsUniHealthCheckDefaults: "For Magic WAN this option defaults to bidirectional",
+ tunnelHealthChecksPage: "/magic-wan/reference/tunnel-health-checks/"
-## Bidirectional vs unidirectional health checks
-
-
-### Legacy bidirectional health checks
-
-
-
 ## Next steps
-
 Now that you have set up your tunnel endpoints, you need to configure static routes to route your traffic through Cloudflare.
If you are connecting to Cloudflare through a [Direct CNI connection](/network-interconnect/express-cni/), you can [configure BGP routing](/magic-wan/configuration/manually/how-to/bgp-peering/) instead.
From 37b33a741c543294e1117b5566782665b5a9dd00 Mon Sep 17 00:00:00 2001
From: marciocloudflare
Date: Mon, 24 Mar 2025 16:24:17 +0000
Subject: [PATCH 12/23] updated var
---
 .../configuration/manually/how-to/configure-tunnels.mdx | 4 +---
 .../magic-transit/tunnel-endpoints/configure-tunnels.mdx | 6 +++---
 2 files changed, 4 insertions(+), 6 deletions(-)
diff --git a/src/content/docs/magic-wan/configuration/manually/how-to/configure-tunnels.mdx b/src/content/docs/magic-wan/configuration/manually/how-to/configure-tunnels.mdx
index 333144a26747da2..d2457f67df25014 100644
--- a/src/content/docs/magic-wan/configuration/manually/how-to/configure-tunnels.mdx
+++ b/src/content/docs/magic-wan/configuration/manually/how-to/configure-tunnels.mdx
@@ -18,12 +18,10 @@ import { GlossaryTooltip, Render } from "~/components";
 productName: "Magic WAN",
 tunnelsAndEncapsulationPagePath: "/magic-wan/reference/tunnels/",
 ciphersPagePath: "/magic-wan/reference/tunnels/#supported-configuration-parameters",
- productName: "Magic WAN",
 antiReplayPagePath: "/magic-wan/reference/anti-replay-protection/",
 cniLink: "/magic-wan/network-interconnect/",
 productPathDash: "Magic WAN > Configuration",
- healthCheck: "/magic-wan/configuration/common-settings/tunnel-health-checks/",
- productPathProbe: "/magic-wan/reference/tunnel-health-checks/",
+ updateHCFrequencyPage: "/magic-wan/configuration/common-settings/tunnel-health-checks/",
 antiReplayPagePath: "/magic-wan/reference/anti-replay-protection/",
 biVsUniHealthCheck: "bidirectional",
 tunnelHealthDash: "/magic-wan/configuration/common-settings/check-tunnel-health-dashboard/",
diff --git a/src/content/partials/magic-transit/tunnel-endpoints/configure-tunnels.mdx b/src/content/partials/magic-transit/tunnel-endpoints/configure-tunnels.mdx
index 8232c7240eb6ca3..fa20b526dd53e26 100644
--- a/src/content/partials/magic-transit/tunnel-endpoints/configure-tunnels.mdx
+++ b/src/content/partials/magic-transit/tunnel-endpoints/configure-tunnels.mdx
@@ -8,7 +8,7 @@ params:
 - antiReplayPagePath
 - cniLink
 - productPathDash
- - healthCheck
+ - updateHCFrequencyPage
 - tunnelHealthChecksPage
 - antiReplayPagePath
 - biVsUniHealthCheck
@@ -83,7 +83,7 @@ Internet Control Message Protocol (ICMP) traffic is subject to Magic Firewall ru
 9. In **Cloudflare GRE endpoint**, enter the anycast address you received from your account team.
 10. Leave the default values for **TTL** and **MTU**.
 11. _(Optional)_ **Tunnel health checks** are enabled by default. If you disable Tunnel health checks, your tunnels will appear 100% down in your
tunnel health dashboard even when working. Cloudflare will keep sending traffic through the tunnel, without the means to detect if the tunnel goes down. You will have to set up your own system to detect down tunnels, as Cloudflare will not be able to warn you about down tunnels. Refer to Tunnel health checks for more information.
-12. _(Optional)_ If you keep **Tunnel health checks** enabled, choose the **Health check rate** for your tunnel. Available options are _Low_, _Medium_, and _High_.
+12. _(Optional)_ If you keep **Tunnel health checks** enabled, choose the **Health check rate** for your tunnel. Available options are _Low_, _Medium_, and _High_.
 13. The **Health check type** defaults to _Reply_ and to creating an ICMP reply. If your firewall drops this type of packet for assuming it is a type of attack, change this option to _Request_ which will create an ICMP request. Refer to Tunnel health checks for more information.
 14. The **Health check direction** defaults to **{props.BiVsUniHealthCheck}** for {props.productName}. Refer to [Bidirectional vs unidirectional health checks](#bidirectional-vs-unidirectional-health-checks) for more details.
 15. _(Optional)_ **Health check target** is the customer end of the tunnel. This field is only visible when the **Health check direction** is set to _Unidirectional_. 
@@ -101,7 +101,7 @@ Internet Control Message Protocol (ICMP) traffic is subject to Magic Firewall ru
 8. In **Customer endpoint**, enter your router's public IP address. This value is only required if your router is using an IKE ID of type `ID_IPV4_ADDR`.
 9. In **Cloudflare endpoint**, enter the anycast address you received from your account team.
 10. _(Optional)_ **Tunnel health checks** are enabled by default. If you disable Tunnel health checks, your tunnels will appear 100% down in your tunnel health dashboard even when working. Cloudflare will keep sending traffic through the tunnel, without the means to detect if the tunnel goes down. You will have to set up your own system to detect down tunnels, as Cloudflare will not be able to warn you about down tunnels. Refer to Tunnel health checks for more information.
-11. _(Optional)_ If you keep **Tunnel health checks** enabled, choose the **Health check rate** for your tunnel. Available options are _Low_, _Medium_ and _High_.
+11. _(Optional)_ If you keep **Tunnel health checks** enabled, choose the **Health check rate** for your tunnel. Available options are _Low_, _Medium_ and _High_.
 12. _(Optional)_ The **Health check type** defaults to _Reply_ and to creating an ICMP reply. If your firewall drops this type of packet for assuming it is a type of attack, change this option to _Request_ which will create an ICMP request. Refer to Tunnel health checks for more information.
 13. _(Optional)_ The **Health check direction** defaults to **{props.BiVsUniHealthCheck}** for {props.productName}. Refer to [Bidirectional vs unidirectional health checks](#bidirectional-vs-unidirectional-health-checks) for more details.
 14. _(Optional)_ **Health check target** is the customer end of the tunnel. This field is only visible when the **Health check direction** is set to _Unidirectional_.
From 78dd5d734ad29d3b79b093160291cbebbe450aa1 Mon Sep 17 00:00:00 2001 
From: marciocloudflare
Date: Mon, 24 Mar 2025 16:26:25 +0000
Subject: [PATCH 13/23] reorg vars
---
 .../configuration/manually/how-to/configure-tunnels.mdx | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/content/docs/magic-wan/configuration/manually/how-to/configure-tunnels.mdx b/src/content/docs/magic-wan/configuration/manually/how-to/configure-tunnels.mdx
index d2457f67df25014..6b51e1de572255a 100644
--- a/src/content/docs/magic-wan/configuration/manually/how-to/configure-tunnels.mdx
+++ b/src/content/docs/magic-wan/configuration/manually/how-to/configure-tunnels.mdx
@@ -22,11 +22,11 @@ import { GlossaryTooltip, Render } from "~/components";
 cniLink: "/magic-wan/network-interconnect/",
 productPathDash: "Magic WAN > Configuration",
 updateHCFrequencyPage: "/magic-wan/configuration/common-settings/tunnel-health-checks/",
+ tunnelHealthChecksPage: "/magic-wan/reference/tunnel-health-checks/",
 antiReplayPagePath: "/magic-wan/reference/anti-replay-protection/",
 biVsUniHealthCheck: "bidirectional",
 tunnelHealthDash: "/magic-wan/configuration/common-settings/check-tunnel-health-dashboard/",
- biVsUniHealthCheckDefaults: "For Magic WAN this option defaults to bidirectional",
- tunnelHealthChecksPage: "/magic-wan/reference/tunnel-health-checks/"
+ biVsUniHealthCheckDefaults: "For Magic WAN this option defaults to bidirectional"
 }}
 />
From bb7bafa4b6b1af23917fe8061e2467fb2bbdb182 Mon Sep 17 00:00:00 2001
From: marciocloudflare
Date: Mon, 24 Mar 2025 16:32:59 +0000
Subject: [PATCH 14/23] added render vars
---
 .../how-to/configure-tunnels.mdx | 54 +++++--------------
 1 file changed, 14 insertions(+), 40 deletions(-)
diff --git a/src/content/docs/magic-transit/how-to/configure-tunnels.mdx b/src/content/docs/magic-transit/how-to/configure-tunnels.mdx
index 207ecc83464205b..2a9d078f4e73a9c 100644
--- a/src/content/docs/magic-transit/how-to/configure-tunnels.mdx
+++ b/src/content/docs/magic-transit/how-to/configure-tunnels.mdx
@@ -11,56 +11,30 @@ description: Cloudflare recommends two tunnels for each ISP and network location
 import { GlossaryTooltip, Render } from "~/components";
-
-
-## Ways to onboard traffic to Cloudflare
-
-### GRE and IPsec tunnels
-
-
-
-#### Anti-replay protection
-
-
-
-### Network Interconnect (CNI)
+ cniLink: "/magic-transit/network-interconnect/",
+ productPathDash: "Magic Transit > Configuration",
+ updateHCFrequencyPage: "/magic-transit/how-to/tunnel-health-checks/",
+ tunnelHealthChecksPage: "/magic-transit/reference/tunnel-health-checks/",
+ antiReplayPagePath: "/magic-transit/reference/anti-replay-protection/",
+ biVsUniHealthCheck: "unidirectional",
+ tunnelHealthDash: "/magic-transit/how-to/check-tunnel-health-dashboard/",
+ biVsUniHealthCheckDefaults: "For Magic Transit this option defaults to unidirectional"
+ }}
 />
-
 ## Add tunnels
 Configuration",
- healthCheck: "/magic-transit/how-to/tunnel-health-checks/",
- productPathProbe: "/magic-transit/reference/tunnel-health-checks/",
- antiReplayPagePath: "/magic-transit/reference/anti-replay-protection/",
- biVsUniHealthCheck: "unidirectional",
- tunnelHealthDash: "/magic-transit/how-to/check-tunnel-health-dashboard/",
- biVsUniHealthCheckDefaults: "For Magic Transit this option defaults to unidirectional"
+ }}
 />
From d5fd493d8d7962e2f7e79343e7f11fbf4ba5d739 Mon Sep 17 00:00:00 2001
From: marciocloudflare
Date: Mon, 24 Mar 2025 16:33:06 +0000
Subject: [PATCH 15/23] corrected var
---
 .../magic-transit/tunnel-endpoints/configure-tunnels.mdx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/content/partials/magic-transit/tunnel-endpoints/configure-tunnels.mdx b/src/content/partials/magic-transit/tunnel-endpoints/configure-tunnels.mdx
index fa20b526dd53e26..c49ed4a2d15de5d 100644
--- a/src/content/partials/magic-transit/tunnel-endpoints/configure-tunnels.mdx
+++ b/src/content/partials/magic-transit/tunnel-endpoints/configure-tunnels.mdx
@@ -384,7 +384,7 @@ To check for tunnel health, Cloudflare sends a

If you are a Magic Transit customer with egress traffic, refer to [Magic Transit egress traffic](/magic-transit/reference/egress/) for more information on the technical aspects you need to consider to create a successful connection to Cloudflare.

From 65c2608da56e8cad326540a6a9b9e3bd0fac0b5b Mon Sep 17 00:00:00 2001
From: marciocloudflare
Date: Mon, 24 Mar 2025 16:51:00 +0000
Subject: [PATCH 16/23] deleted content not needed
---
 .../how-to/configure-tunnels.mdx | 25 -------------------
 1 file changed, 25 deletions(-)
diff --git a/src/content/docs/magic-transit/how-to/configure-tunnels.mdx b/src/content/docs/magic-transit/how-to/configure-tunnels.mdx
index 2a9d078f4e73a9c..13104894f372529 100644
--- a/src/content/docs/magic-transit/how-to/configure-tunnels.mdx
+++ b/src/content/docs/magic-transit/how-to/configure-tunnels.mdx
@@ -28,31 +28,6 @@ import { GlossaryTooltip, Render } from "~/components";
 biVsUniHealthCheckDefaults: "For Magic Transit this option defaults to unidirectional"
 }}
 />
-
-## Add tunnels
-
-
-
-## Bidirectional vs unidirectional health checks
-
-
-
-
-
-### Legacy bidirectional health checks
-
-
-
 ## Next steps
 Now that you have set up your tunnel endpoints, you need to configure static routes to route your traffic through Cloudflare.
From 8e7b24205cdff12ac51b665fe2b15fa19a9045dc Mon Sep 17 00:00:00 2001
From: marciocloudflare
Date: Mon, 24 Mar 2025 16:51:07 +0000
Subject: [PATCH 17/23] removed extra line
---
 .../configuration/manually/how-to/configure-tunnels.mdx | 1 -
 1 file changed, 1 deletion(-)
diff --git a/src/content/docs/magic-wan/configuration/manually/how-to/configure-tunnels.mdx b/src/content/docs/magic-wan/configuration/manually/how-to/configure-tunnels.mdx
index 6b51e1de572255a..a52bc4dab87b4b0 100644
--- a/src/content/docs/magic-wan/configuration/manually/how-to/configure-tunnels.mdx
+++ b/src/content/docs/magic-wan/configuration/manually/how-to/configure-tunnels.mdx
@@ -27,7 +27,6 @@ import { GlossaryTooltip, Render } from "~/components";
 biVsUniHealthCheck: "bidirectional",
 tunnelHealthDash: "/magic-wan/configuration/common-settings/check-tunnel-health-dashboard/",
 biVsUniHealthCheckDefaults: "For Magic WAN this option defaults to bidirectional"
-
 }}
 />
From 6a4dfd63e77a6f6a9fc234ff0964ed118aa18fd2 Mon Sep 17 00:00:00 2001
From: marciocloudflare
Date: Mon, 24 Mar 2025 16:59:04 +0000
Subject: [PATCH 18/23] added link
---
 .../magic-transit/tunnel-endpoints/configure-tunnels.mdx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/content/partials/magic-transit/tunnel-endpoints/configure-tunnels.mdx b/src/content/partials/magic-transit/tunnel-endpoints/configure-tunnels.mdx
index c49ed4a2d15de5d..c186cb955e12ae4 100644
--- a/src/content/partials/magic-transit/tunnel-endpoints/configure-tunnels.mdx
+++ b/src/content/partials/magic-transit/tunnel-endpoints/configure-tunnels.mdx
@@ -386,7 +386,7 @@ Cloudflare defaults to bidirectional health checks for Magic WAN, and unidirecti
 { props.magicWord === "Magic Transit" && ( <>
-

If you are a Magic Transit customer with egress traffic, refer to [Magic Transit egress traffic](/magic-transit/reference/egress/) for more information on the technical aspects you need to consider to create a successful connection to Cloudflare.

+

If you are a Magic Transit customer with egress traffic, refer to Magic Transit egress traffic for more information on the technical aspects you need to consider to create a successful connection to Cloudflare.

)
 }
From a85b231de792724bd015690f34e26bc9c9ac2cf0 Mon Sep 17 00:00:00 2001
From: marciocloudflare
Date: Mon, 24 Mar 2025 17:03:05 +0000
Subject: [PATCH 19/23] deleted partials not needed
---
 .../partials/magic-transit/icmp-mfirewall.mdx | 10 -
 .../magic-transit/legacy-hc-system.mdx | 9 -
 .../tunnel-endpoints/add-tunnels.mdx | 326 ------------------
 .../tunnel-endpoints/anti-replay.mdx | 11 -
 .../tunnel-endpoints/bi-uni-health-checks.mdx | 10 -
 .../magic-transit/tunnel-endpoints/cni.mdx | 10 -
 .../tunnel-endpoints/gre-ipsec.mdx | 18 -
 .../tunnel-endpoints/mt-egress.mdx | 6 -
 .../tunnel-endpoints/tunnel-endpoints.mdx | 25 --
 9 files changed, 425 deletions(-)
 delete mode 100644 src/content/partials/magic-transit/icmp-mfirewall.mdx
 delete mode 100644 src/content/partials/magic-transit/legacy-hc-system.mdx
 delete mode 100644 src/content/partials/magic-transit/tunnel-endpoints/add-tunnels.mdx
 delete mode 100644 src/content/partials/magic-transit/tunnel-endpoints/anti-replay.mdx
 delete mode 100644 src/content/partials/magic-transit/tunnel-endpoints/bi-uni-health-checks.mdx
 delete mode 100644 src/content/partials/magic-transit/tunnel-endpoints/cni.mdx
 delete mode 100644 src/content/partials/magic-transit/tunnel-endpoints/gre-ipsec.mdx
 delete mode 100644 src/content/partials/magic-transit/tunnel-endpoints/mt-egress.mdx
 delete mode 100644 src/content/partials/magic-transit/tunnel-endpoints/tunnel-endpoints.mdx
diff --git a/src/content/partials/magic-transit/icmp-mfirewall.mdx b/src/content/partials/magic-transit/icmp-mfirewall.mdx
deleted file mode 100644
index 77edda76583b1af..000000000000000
--- a/src/content/partials/magic-transit/icmp-mfirewall.mdx
+++ /dev/null
@@ -1,10 +0,0 @@
----
-{}
-
----
-
-import { GlossaryTooltip } from "~/components"
-
-:::caution
-Internet Control Message Protocol (ICMP) traffic is subject to Magic Firewall rules. If you have Magic Firewall enabled, ensure your rules allow ICMP traffic sourced from Cloudflare public IPs. Otherwise, health checks will fail. Refer to [Magic Firewall rules](/magic-firewall/about/ruleset-logic/#magic-firewall-rules-and-magic-transit-endpoint-health-checks) for more information.
-:::
diff --git a/src/content/partials/magic-transit/legacy-hc-system.mdx b/src/content/partials/magic-transit/legacy-hc-system.mdx
deleted file mode 100644
index 76fff130e42da16..000000000000000
--- a/src/content/partials/magic-transit/legacy-hc-system.mdx
+++ /dev/null
@@ -1,9 +0,0 @@
----
-{}
-
----
-
-For customers using the legacy health check system with a public IP range, Cloudflare recommends:
-
-- Configuring the tunnel health check target IP address to one within the `172.64.240.252/30` prefix range.
-- Applying a policy-based route that matches [packets](https://www.cloudflare.com/learning/network-layer/what-is-a-packet/) with a source IP address equal to the configured tunnel health check target (for example `172.64.240.253/32`), and route them over the tunnel back to Cloudflare.
diff --git a/src/content/partials/magic-transit/tunnel-endpoints/add-tunnels.mdx b/src/content/partials/magic-transit/tunnel-endpoints/add-tunnels.mdx
deleted file mode 100644
index a313e0a803833e9..000000000000000
--- a/src/content/partials/magic-transit/tunnel-endpoints/add-tunnels.mdx
+++ /dev/null
@@ -1,326 +0,0 @@
----
-params:
- - productName
- - productPathDash
- - healthCheck
- - productPathProbe
- - antiReplayPagePath
- - biVsUniHealthCheck
- - tunnelHealthDash
- - biVsUniHealthCheckDefaults
----
-
-import { APIRequest, CURL, Details, Markdown, Render, TabItem, Tabs } from "~/components";
-
-
-
-
-
-1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login), and select your account.
-2. Select **{props.productPathDash}**.
-3. From the **Tunnels** tab, select **Create**.
-4. On the **Add tunnels** page, choose either a **GRE tunnel** or **IPsec tunnel**.
-
-
-5. In **Name**, give your tunnel a descriptive name. This name must be unique, must not contain spaces or special characters, and must be 15 or fewer characters. Hover the mouse over `i` in the dashboard for more information.
-6. Give your tunnel a description in **Description**. You do not have character restrictions here.
-7. In **IPv4 Interface address**, enter the internal IP address for your tunnel along with the interface's prefix length (either `/31` or `/30`). This is used to route traffic through the tunnel on the Cloudflare side. We recommend using an RFC1918 address scheme with a `/31` netmask, as it provides the most efficient use of IP address space.
-8. In **Customer GRE endpoint**, enter your router's public IP address. This value is not needed if you intend to use a physical or virtual connection like Cloudflare Network Interconnect because Cloudflare will provide it.
-9. In **Cloudflare GRE endpoint**, enter the anycast address you received from your account team.
-10. Leave the default values for **TTL** and **MTU**.
-11. _(Optional)_ **Tunnel health checks** are enabled by default. If you disable Tunnel health checks, your tunnels will appear 100% down in your tunnel health dashboard even when working. Cloudflare will keep sending traffic through the tunnel, without the means to detect if the tunnel goes down. You will have to set up your own system to detect down tunnels, as Cloudflare will not be able to warn you about down tunnels. Refer to Tunnel health checks for more information.
-12. _(Optional)_ If you keep **Tunnel health checks** enabled, choose the **Health check rate** for your tunnel. Available options are _Low_, _Medium_, and _High_.
-13. The **Health check type** defaults to _Reply_ and to creating an ICMP reply. If your firewall drops this type of packet for assuming it is a type of attack, change this option to _Request_ which will create an ICMP request. Refer to Tunnel health checks for more information.
-14. 
The **Health check direction** defaults to **{props.BiVsUniHealthCheck}** for {props.productName}. Refer to [Bidirectional vs unidirectional health checks](#bidirectional-vs-unidirectional-health-checks) for more details.
-15. _(Optional)_ **Health check target** is the customer end of the tunnel. This field is only visible when the **Health check direction** is set to _Unidirectional_.
-16. _(Optional)_ We recommend you test your tunnel before officially adding it. To test the tunnel, select **Test tunnels**.
-17. To add multiple tunnels, select **Add GRE tunnel** for each new tunnel.
-18. After adding your tunnel information, select **Add tunnels** to save your changes.
-
- -
-
-5. In **Name**, give your tunnel a descriptive name. This name must be unique, must not contain spaces or special characters, and must be 15 or fewer characters. Hover the mouse over `i` in the dashboard for more information.
-6. Give your tunnel a description in **Description**. You do not have character restrictions here.
-7. In **IPv4 Interface address**, enter the internal IP address for your tunnel along with the interface's prefix length (either `/31` or `/30`). This is used to route traffic through the tunnel on the Cloudflare side. We recommend using an RFC1918 address scheme with a `/31` netmask, as it provides the most efficient use of IP address space.
-8. In **Customer endpoint**, enter your router's public IP address. This value is only required if your router is using an IKE ID of type `ID_IPV4_ADDR`.
-9. In **Cloudflare endpoint**, enter the anycast address you received from your account team.
-10. _(Optional)_ **Tunnel health checks** are enabled by default. If you disable Tunnel health checks, your tunnels will appear 100% down in your tunnel health dashboard even when working. Cloudflare will keep sending traffic through the tunnel, without the means to detect if the tunnel goes down. You will have to set up your own system to detect down tunnels, as Cloudflare will not be able to warn you about down tunnels. Refer to Tunnel health checks for more information.
-11. _(Optional)_ If you keep **Tunnel health checks** enabled, choose the **Health check rate** for your tunnel. Available options are _Low_, _Medium_ and _High_.
-12. _(Optional)_ The **Health check type** defaults to _Reply_ and to creating an ICMP reply. If your firewall drops this type of packet for assuming it is a type of attack, change this option to _Request_ which will create an ICMP request. Refer to Tunnel health checks for more information.
-13. _(Optional)_ The **Health check direction** defaults to **{props.BiVsUniHealthCheck}** for {props.productName}. 
Refer to [Bidirectional vs unidirectional health checks](#bidirectional-vs-unidirectional-health-checks) for more details.
-14. _(Optional)_ **Health check target** is the customer end of the tunnel. This field is only visible when the **Health check direction** is set to _Unidirectional_.
-
- :::note
- IPsec tunnels will not function without a pre-shared key (PSK).
- :::
-
-15. If you do not have a pre-shared key yet:
-
- 1. Select **Add pre-shared key later**.
- 2. _(Optional)_ We recommend you test your tunnel configuration before officially adding it. To test the tunnel, select **Test tunnels**.
- 3. Select **Add tunnels**.
- 4. The Cloudflare dashboard will load the list of tunnels you have configured. The IPsec tunnel you have just created will be listed with a warning in the form of a triangle to let you know it is not yet functional. Select **Edit**.
- 5. Choose **Generate a new pre-shared key** > **Update and generate a pre-shared key**. Save the key to a safe place, and select **Done**.
-
-16. If you already have a pre-shared key:
-
- 1. Select **Use my own pre-shared key**.
- 2. Paste your key in **Your pre-shared key**.
- 3. _(Optional)_ We recommend you test your tunnel before officially adding it. To test the tunnel, select **Test tunnels**.
- 4. Select **Add tunnels**.
-
-17. (Optional) Enable **Replay protection** if you have devices that do not support disabling it. Refer to Anti-replay protection for more information.
-
- -
-
-
-
- -Create a `POST` request [using the API](/api/resources/magic_transit/subresources/gre_tunnels/methods/create/) to create a GRE tunnel. - -", - "description": "", - "interface_address": "", - "cloudflare_gre_endpoint": "", - "customer_gre_endpoint": "" - }} -/> - -```json output -{ - "errors": [ - { - "code": 1000, - "message": "message" - } - ], - "messages": [ - { - "code": 1000, - "message": "message" - } - ], - "result": { - "gre_tunnels": [ - { - "cloudflare_gre_endpoint": "", - "customer_gre_endpoint": "", - "interface_address": "", - "name": "", - "description": "", - "health_check": { - "direction": "unidirectional", - "enabled": true, - "rate": "low", - "type": "reply" - }, - "mtu": 0, - "ttl": 0 - } - ] - }, - "success": true -} -``` - -
- -
- -1. Create a `POST` request [using the API](/api/resources/magic_transit/subresources/ipsec_tunnels/methods/create/) to create an IPsec tunnel. - - Note that in example below, replay protection is disabled by default. You can enable it with the flag `"replay_protection": true` for each IPsec tunnel, if the devices you use do not support disabling this feature. If you have already created IPsec tunnels, update them with a [`PUT` request](/api/resources/magic_transit/subresources/ipsec_tunnels/methods/update/). Refer to Anti-replay protection for more information on this topic. - - ", - "description": "", - "interface_address": "", - "cloudflare_endpoint": "", - "customer_endpoint": "" - }} - /> - - ```json output - { - "errors": [ - { - "code": 1000, - "message": "message" - } - ], - "messages": [ - { - "code": 1000, - "message": "message" - } - ], - "result": { - "ipsec_tunnels": [ - { - "id": "", - "interface_address": "", - "name": "", - "cloudflare_endpoint": "", - "customer_endpoint": "", - "description": "", - "health_check": { - "direction": "unidirectional", - "enabled": true, - "rate": "low", - "type": "reply" - }, - "psk_metadata": {}, - "replay_protection": false - } - ] - }, - "success": true - } - ``` - - Take note of the tunnel `id` value. We will use it to generate a pre-shared key (PSK). - -2. Create a `POST` [request](/api/resources/magic_transit/subresources/ipsec_tunnels/methods/psk_generate/) to generate a PSK. Use the tunnel `id` value you received from the previous command. - - - - ```json output - { - "result": { - "ipsec_id": "", - "ipsec_tunnel_id": "", - "psk": "", - "psk_metadata": { - "last_generated_on": "2025-03-13T14:28:47.054317925Z" - } - }, - "success": true, - "errors": [], - "messages": [] - } - ``` - - Take note of your `psk` value. - -3. Create a `PUT` [request](/api/resources/magic_transit/subresources/ipsec_tunnels/methods/update/) to update your IPsec tunnel with the PSK. 
- - " - }} - /> - -```json output -{ - "result": { - "modified": true, - "modified_ipsec_tunnel": { - "id": "", - "interface_address": "", - "created_on": "2025-03-13T14:28:21.139535Z", - "modified_on": "2025-03-13T14:33:26.09683Z", - "name": "", - "cloudflare_endpoint": "", - "customer_endpoint": "", - "remote_identities": { - "hex_id": "", - "fqdn_id": "", - "user_id": "" - }, - "psk_metadata": { - "last_generated_on": "2025-03-13T14:28:47.054318Z" - }, - "description": "", - "health_check": { - "enabled": true, - "target": "", - "type": "reply", - "rate": "mid", - "direction": "unidirectional" - } - } - }, - "success": true, - "errors": [], - "messages": [] -} -``` - -4. Use the `psk` value from step 3 to configure the IPsec tunnel on your equipment as well. - -
- -
- -Bidirectional health checks are available for GRE and IPsec tunnels. {props.biVsUniHealthCheckDefaults}. - -You can change this setting via the API with `"bidirectional"` or `"unidirectional"`: - - - -```json output -{ - "result": { - "modified": true, - "modified_ipsec_tunnel": { - "id": "", - "interface_address": "", - "created_on": "2025-03-13T14:28:21.139535Z", - "modified_on": "2025-03-13T14:33:26.09683Z", - "name": "", - "cloudflare_endpoint": "", - "customer_endpoint": "", - "remote_identities": { - "hex_id": "", - "fqdn_id": "", - "user_id": "" - }, - "psk_metadata": { - "last_generated_on": "2025-03-13T14:28:47.054318Z" - }, - "description": "", - "health_check": { - "enabled": true, - "target": "", - "type": "reply", - "rate": "mid", - "direction": "bidirectional" - } - } - }, - "success": true, - "errors": [], - "messages": [] -} -``` - -
- -
diff --git a/src/content/partials/magic-transit/tunnel-endpoints/anti-replay.mdx b/src/content/partials/magic-transit/tunnel-endpoints/anti-replay.mdx
deleted file mode 100644
index 90e8907d808dc2f..000000000000000
--- a/src/content/partials/magic-transit/tunnel-endpoints/anti-replay.mdx
+++ /dev/null
@@ -1,11 +0,0 @@
----
-params:
- - productName
- - antiReplayPagePath
----
-
-import { GlossaryTooltip, Markdown } from "~/components";
-
-If you use {props.productName} and anycast IPsec tunnels, we recommend disabling anti-replay protection. This setting is disabled on Cloudflare's side by default. However, it can be enabled via the API or the Cloudflare dashboard for devices that do not support disabling it, including Cisco Meraki, Velocloud, and AWS VPN Gateway.
-
-Refer to Anti-replay protection for more information on this topic, or [Add IPsec tunnels](#add-tunnels) below to learn how to enable this feature.
diff --git a/src/content/partials/magic-transit/tunnel-endpoints/bi-uni-health-checks.mdx b/src/content/partials/magic-transit/tunnel-endpoints/bi-uni-health-checks.mdx
deleted file mode 100644
index 123b0c35dbb9cbe..000000000000000
--- a/src/content/partials/magic-transit/tunnel-endpoints/bi-uni-health-checks.mdx
+++ /dev/null
@@ -1,10 +0,0 @@
----
-params:
- - productPathProbe
----
-
-import { Markdown } from "~/components";
-
-To check for tunnel health, Cloudflare sends a health check probe consisting of ICMP (Internet Control Message Protocol) reply [packets](https://www.cloudflare.com/learning/network-layer/what-is-a-packet/) to your network. Cloudflare needs to receive these probes to know if your tunnel is healthy.
-
-Cloudflare defaults to bidirectional health checks for Magic WAN, and unidirectional health checks for Magic Transit (direct server return). However, routing unidirectional ICMP reply packets over the Internet to Cloudflare is sometimes subject to drops by intermediate network devices, such as stateful firewalls. Magic Transit customers with egress traffic can modify this setting to bidirectional.
diff --git a/src/content/partials/magic-transit/tunnel-endpoints/cni.mdx b/src/content/partials/magic-transit/tunnel-endpoints/cni.mdx
deleted file mode 100644
index 6ca1cfa2dd3ecf6..000000000000000
--- a/src/content/partials/magic-transit/tunnel-endpoints/cni.mdx
+++ /dev/null
@@ -1,10 +0,0 @@
----
-params:
- - magicName
- - cniPath
- - productLink
----
-
-import { Markdown } from "~/components";
-
-Beyond GRE and IPsec tunnels, you can also use Network Interconnect (CNI) to onboard your traffic to {props.magicName}. Refer to {props.cniPath} for more information.
diff --git a/src/content/partials/magic-transit/tunnel-endpoints/gre-ipsec.mdx b/src/content/partials/magic-transit/tunnel-endpoints/gre-ipsec.mdx
deleted file mode 100644
index 8363d394de20914..000000000000000
--- a/src/content/partials/magic-transit/tunnel-endpoints/gre-ipsec.mdx
+++ /dev/null
@@ -1,18 +0,0 @@
----
-params:
- - productName
- - tunnelsPath
- - ciphersPath
----
-
-import { Markdown } from "~/components";
-
-You can use GRE or IPsec tunnels to onboard your traffic to {props.productName}, and set them up via the Cloudflare dashboard or the API. However, if you want to use the API, be sure to have your [account ID](/fundamentals/setup/find-account-and-zone-ids/) and [API key](/fundamentals/api/get-started/keys/#view-your-global-api-key) ready before you begin.
-
-:::note[Note]
-IPsec tunnels only support Internet Key Exchange version 2 (IKEv2).
-:::
-
-#### IPsec supported ciphers
-
-Refer to Tunnels and encapsulation to learn more about the technical requirements for GRE and IPsec tunnels used in {props.productName}. In this page, you can also find the supported ciphers for IPsec.
diff --git a/src/content/partials/magic-transit/tunnel-endpoints/mt-egress.mdx b/src/content/partials/magic-transit/tunnel-endpoints/mt-egress.mdx
deleted file mode 100644
index 150d7787d093b2c..000000000000000
--- a/src/content/partials/magic-transit/tunnel-endpoints/mt-egress.mdx
+++ /dev/null
@@ -1,6 +0,0 @@
----
-{}
-
----
-
-If you are a Magic Transit customer with egress traffic, refer to [Magic Transit egress traffic](/magic-transit/reference/egress/) for more information on the technical aspects you need to consider to create a successful connection to Cloudflare.
diff --git a/src/content/partials/magic-transit/tunnel-endpoints/tunnel-endpoints.mdx b/src/content/partials/magic-transit/tunnel-endpoints/tunnel-endpoints.mdx
deleted file mode 100644
index 79272f6230ec88f..000000000000000
--- a/src/content/partials/magic-transit/tunnel-endpoints/tunnel-endpoints.mdx
+++ /dev/null
@@ -1,25 +0,0 @@
----
-params:
- - ipRange
----
-
-import { GlossaryTooltip, Markdown } from "~/components";
-
-Cloudflare recommends two tunnels for each ISP and network location router combination, one per Cloudflare endpoint. Cloudflare will assign two Cloudflare endpoint addresses shortly after your onboarding kickoff call that you can use as the tunnel destinations on your network location's routers/endpoints.
-
-To configure the tunnels between Cloudflare and your locations, you must provide the following data for each tunnel:
-
-- **Tunnel name**: For GRE tunnels, the name must have 15 or fewer characters. IPsec tunnels have no character limit. For both GRE and IPsec tunnels, the name cannot contain spaces or special characters, and cannot be shared with other tunnels.
-- **Cloudflare endpoint address**: The public IP address of the Cloudflare side of the tunnel.
-- **Customer endpoint**: A public Internet routable IP address outside of the prefixes Cloudflare will advertise on your behalf. These are generally IP addresses provided by your ISP. If you intend to use a physical or virtual connection like [Cloudflare Network Interconnect](/network-interconnect/), you do not need to provide endpoints because Cloudflare will provide them.
 This value is not required for IPsec tunnels, unless your router is using an Internet Key Exchange (IKE) ID of type `ID_IPV4_ADDR`.
-- **Interface address**: A 31-bit (recommended) or 30-bit subnet (`/31` or `/30` in CIDR notation) supporting two hosts, one for each side of the tunnel. Select the subnet from the following private IP space:
- - `10.0.0.0/8`
- - `172.16.0.0/12`
- - `192.168.0.0/16`
- - `169.254.240.0/20` {props.ipRange}
- :::caution
- Especially for cloud service providers that might automatically generate prefixes for you, make sure the prefixes are always within the allowed Cloudflare ranges, or the tunnel will not work.
- :::
-- **TTL**: Time to Live (TTL) in number of hops for the GRE tunnel. The default value is 64.
-- **MTU**: Maximum transmission unit (MTU) in bytes for the GRE tunnel. The default value is 1476.
From 4d98447dbe2859f6797397f9da388d3edd87e953 Mon Sep 17 00:00:00 2001
From: marciocloudflare
Date: Mon, 24 Mar 2025 17:03:43 +0000
Subject: [PATCH 20/23] moved partial
---
 .../magic-transit/{tunnel-endpoints => }/configure-tunnels.mdx | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename src/content/partials/magic-transit/{tunnel-endpoints => }/configure-tunnels.mdx (100%)
diff --git a/src/content/partials/magic-transit/tunnel-endpoints/configure-tunnels.mdx b/src/content/partials/magic-transit/configure-tunnels.mdx
similarity index 100%
rename from src/content/partials/magic-transit/tunnel-endpoints/configure-tunnels.mdx
rename to src/content/partials/magic-transit/configure-tunnels.mdx
From 5e7037038b467ad4552b510df5afe9ba46143c5e Mon Sep 17 00:00:00 2001
From: marciocloudflare
Date: Mon, 24 Mar 2025 17:04:00 +0000
Subject: [PATCH 21/23] corrected path
---
 src/content/docs/magic-transit/how-to/configure-tunnels.mdx | 2 +-
 .../configuration/manually/how-to/configure-tunnels.mdx | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/content/docs/magic-transit/how-to/configure-tunnels.mdx b/src/content/docs/magic-transit/how-to/configure-tunnels.mdx
index 13104894f372529..4996511b8670307 100644
--- a/src/content/docs/magic-transit/how-to/configure-tunnels.mdx
+++ b/src/content/docs/magic-transit/how-to/configure-tunnels.mdx
@@ -11,7 +11,7 @@ description: Cloudflare recommends two tunnels for each ISP and network location
 import { GlossaryTooltip, Render } from "~/components";
-
Date: Mon, 24 Mar 2025 17:52:44 +0000
Subject: [PATCH 22/23] Apply suggestions from code review
Co-authored-by: Jun Lee
---
 src/content/partials/magic-transit/configure-tunnels.mdx | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/content/partials/magic-transit/configure-tunnels.mdx b/src/content/partials/magic-transit/configure-tunnels.mdx
index c186cb955e12ae4..9931634c3f4b5c6 100644
--- a/src/content/partials/magic-transit/configure-tunnels.mdx
+++ b/src/content/partials/magic-transit/configure-tunnels.mdx
@@ -18,13 +18,13 @@ params:
 import { APIRequest, CURL, Details, GlossaryTooltip, Render, TabItem, Tabs } from "~/components";
-Cloudflare recommends two tunnels for each ISP and network location router combination, one per Cloudflare endpoint. Cloudflare will assign two Cloudflare endpoint addresses shortly after your onboarding kickoff call that you can use as the tunnel destinations on your network location's routers/endpoints.
+Cloudflare recommends two tunnels for each ISP and network location router combination, one per Cloudflare endpoint. Shortly after your onboarding kickoff call, Cloudflare will assign two Cloudflare endpoint addresses that you can use as the tunnel destinations on your network location's routers/endpoints.
 To configure the tunnels between Cloudflare and your locations, you must provide the following data for each tunnel:
 - **Tunnel name**: For GRE tunnels, the name must have 15 or fewer characters. IPsec tunnels have no character limit. For both GRE and IPsec tunnels, the name cannot contain spaces or special characters, and cannot be shared with other tunnels.
 - **Cloudflare endpoint address**: The public IP address of the Cloudflare side of the tunnel.
-- **Customer endpoint**: A public Internet routable IP address outside of the prefixes Cloudflare will advertise on your behalf. These are generally IP addresses provided by your ISP. If you intend to use a physical or virtual connection like [Cloudflare Network Interconnect](/network-interconnect/), you do not need to provide endpoints because Cloudflare will provide them.
+- **Customer endpoint**: A public Internet routable IP address which is outside of the prefixes that Cloudflare will advertise on your behalf. These are generally IP addresses provided by your ISP. If you intend to use a physical or virtual connection like [Cloudflare Network Interconnect](/network-interconnect/), you do not need to provide endpoints because Cloudflare will provide them.
 This value is not required for IPsec tunnels, unless your router is using an Internet Key Exchange (IKE) ID of type `ID_IPV4_ADDR`.
 - **Interface address**: A 31-bit (recommended) or 30-bit subnet (`/31` or `/30` in CIDR notation) supporting two hosts, one for each side of the tunnel. Select the subnet from the following private IP space:
 - `10.0.0.0/8`
@@ -32,7 +32,7 @@ To configure the tunnels between Cloudflare and your locations, you must provide
 - `192.168.0.0/16`
 - `169.254.240.0/20` {props.ipRange}
 :::caution
- Especially for cloud service providers that might automatically generate prefixes for you, make sure the prefixes are always within the allowed Cloudflare ranges, or the tunnel will not work.
+ Make sure the prefixes are always within the allowed Cloudflare ranges, especially for cloud service providers that might automatically generate prefixes for you. Otherwise, the tunnel will not work.
 :::
 - **TTL**: Time to Live (TTL) in number of hops for the GRE tunnel. The default value is 64.
 - **MTU**: Maximum transmission unit (MTU) in bytes for the GRE tunnel. The default value is 1476.
From 753f37773fd89b244a08bccf1226af520b663da6 Mon Sep 17 00:00:00 2001
From: marciocloudflare
Date: Mon, 24 Mar 2025 18:00:29 +0000
Subject: [PATCH 23/23] re added icmp partial
---
 .../partials/magic-transit/configure-tunnels.mdx | 4 +---
 src/content/partials/magic-transit/icmp-mfirewall.mdx | 10 ++++++++++
 2 files changed, 11 insertions(+), 3 deletions(-)
 create mode 100644 src/content/partials/magic-transit/icmp-mfirewall.mdx
diff --git a/src/content/partials/magic-transit/configure-tunnels.mdx b/src/content/partials/magic-transit/configure-tunnels.mdx
index 9931634c3f4b5c6..24ef93533d1ef4d 100644
--- a/src/content/partials/magic-transit/configure-tunnels.mdx
+++ b/src/content/partials/magic-transit/configure-tunnels.mdx
@@ -63,9 +63,7 @@ Beyond GRE and IPsec tunnels, you can also use Network Interconnect (CNI) to onb
 ## Add tunnels
-:::caution
-Internet Control Message Protocol (ICMP) traffic is subject to Magic Firewall rules. If you have Magic Firewall enabled, ensure your rules allow ICMP traffic sourced from Cloudflare public IPs. Otherwise, health checks will fail. Refer to [Magic Firewall rules](/magic-firewall/about/ruleset-logic/#magic-firewall-rules-and-magic-transit-endpoint-health-checks) for more information.
-:::
+
diff --git a/src/content/partials/magic-transit/icmp-mfirewall.mdx b/src/content/partials/magic-transit/icmp-mfirewall.mdx
new file mode 100644
index 000000000000000..77edda76583b1af
--- /dev/null
+++ b/src/content/partials/magic-transit/icmp-mfirewall.mdx
@@ -0,0 +1,10 @@
+---
+{}
+
+---
+
+import { GlossaryTooltip } from "~/components"
+
+:::caution
+Internet Control Message Protocol (ICMP) traffic is subject to Magic Firewall rules. If you have Magic Firewall enabled, ensure your rules allow ICMP traffic sourced from Cloudflare public IPs. Otherwise, health checks will fail. Refer to [Magic Firewall rules](/magic-firewall/about/ruleset-logic/#magic-firewall-rules-and-magic-transit-endpoint-health-checks) for more information.
+:::